-/*
- * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- */
+/* Copyright (c) 2006-2010, UNINETT AS
+ * Copyright (c) 2010-2012, NORDUnet A/S */
+/* See LICENSE for licensing information. */
#if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
#include <signal.h>
#include <openssl/md5.h>
#include <openssl/x509v3.h>
#include "debug.h"
-#include "list.h"
#include "hash.h"
#include "util.h"
#include "hostport.h"
static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
SSL_CTX *ctx = NULL;
unsigned long error;
+ long sslversion = SSLeay();
switch (type) {
#ifdef RADPROT_TLS
debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
return NULL;
}
-#if OPENSSL_VERSION_NUMBER < 0x1000002f
- debug(DBG_WARN, "%s: OpenSSL seems to be older than "
- "1.0.0b -- disabling OpenSSL session caching for context %p "
- "to avoid a TLS extension parsing race condition "
- "(http://openssl.org/news/secadv_20101116.txt).", __func__, ctx);
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
-#endif
+
+ if (sslversion < 0x00908100L ||
+ (sslversion >= 0x10000000L && sslversion < 0x10000020L)) {
+ debug(DBG_WARN, "%s: %s seems to be of a version with a "
+ "certain security critical bug (fixed in OpenSSL 0.9.8p and "
+ "1.0.0b). Disabling OpenSSL session caching for context %p.",
+ __func__, SSLeay_version(SSLEAY_VERSION), ctx);
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ }
if (conf->certkeypwd) {
SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
projects / radsecproxy.git / blobdiff